The new office, which would fall under the state’s Office of the Chief Information Officer, would focus on establishing security standards and policies as well as developing a centralized cybersecurity protocol for managing state IT assets.
The recent breach, which impacted the State Auditor’s Office through its cloud solution vendor Accellion, resulted in the unauthorized access of records temporarily stored in the company’s system. According to the auditor’s website, the data compromised in the breach was information provided by Washington residents who filed for unemployment between Jan. 1 and Dec. 10, 2020.
In a public hearing Tuesday, the Senate Environment, Energy and Technology Committee — chaired by Sen. Reuven Carlyle, one of the bill’s sponsors — and technology leaders met virtually to discuss the bill.
“I think that all of us know in the last number of months there have been multiple incidents of cybersecurity issues and challenges in our state,” Carlyle said. “We know the most recent issue with the state auditor is incredibly serious, and we know that the State Auditor’s Office is working very closely with a variety of folks on the core issues in addressing what happened and how to protect the public.”
In terms of specifically tackling cybersecurity issues, the senator pointed to implementing a coordinated enterprise-wide strategy in addition to addressing the state’s decentralized approach to its IT systems.
“It is simply unacceptable for Washington state both from a responsibility to the public but also to the taxpayers that we are not meeting today’s standards by not having the highest quality systems,” he said.
He expanded further on the issue, saying, “We have a radical addiction to decentralization in the state of Washington, but truthfully IT cybersecurity is just not the place for that. It’s time for us to have a stronger government structure. It’s time for us to get serious about what evidence-based best practices look like.”
As for other opinions on the bill, Scott Nelson, the director of legislation and policy affairs for the State Auditor’s Office, supported cybersecurity improvements as long as the changes do not interfere with constitutional auditing requirements.
“We know there are amendments coming to improve the strength of this legislation, and while we are anxious to ensure that they do not interfere with the requirements for auditing under the constitution, we welcome the idea of strong new guidelines to protect our most sensitive data,” Nelson said.
Sheri Sawyer, a senior policy adviser and representative for Gov. Jay Inslee’s office, also voiced support for the bill, saying, “We recognize cybersecurity is at the forefront, and it must be a priority of a post-pandemic workforce. The bill that’s before you today has a strong central authority on cybersecurity that would perform enterprise services and functions and enable broader statewide collaborations across all levels of government, improving the state’s cyber posture.”
However, questions regarding the bill and implementation of future cybersecurity strategies came up during the hearing, resulting in a discussion between Carlyle and state CIO James Weaver.
The senator questioned how WaTech would deliver the best global practices relative to data management when the agency has struggled to build an enterprise-wide strategy in the past.
Weaver responded by saying, “We need to get back to the basics to establish the best policy frameworks that exist across the country to build a program from the ground up. There’s no easy button for us to hit to magically get us to a level of maturity. We really have to get back to the basics of blocking attack language and developing that program.”
The senator also asked how WaTech would be able to combine a cloud strategy with a security strategy that offers best practices.
Weaver responded, saying, “We at WaTech are very much in favor of the cloud; however, I think we need to talk about providing digital government services along with other concepts such as broadband and cyberprivacy in addition to the cloud.”